by saltcured 1391 days ago
I have a pretty conservative (paranoid?) security posture, where I do not want any banking app or any ability to initiate or confirm financial transactions via my smartphone. I don't even use non-free apps because I refuse to have a credit card associated with my phone and its app store.

I also don't like the idea of many sites/services trying to roll their own 2FA and introducing custom phone apps. I frankly do not trust most vendors to design or write secure software. I want an interoperable standard so I can choose a trusted authenticator and enroll it with as many different services as I need. I want to use such sites with my desktop/laptop browser, and I like the idea of 2FA login or transaction approvals to limit the chances of unauthorized use.

I don't mind using the phone as a 2FA token, but I want to have extra tokens as backup in case the phone is lost or damaged. The YubiKey seemed attractive in that way, but support is not as good or as widespread as I would need.

I discovered absurd things like a bank allowing multiple tokens to be enrolled, but automatically expiring them if I don't use them frequently. This blocks the idea of enrolling a backup token to store safely offline.

I also want to disable any SMS/phone call/email mechanism to do account recovery by sending secrets through an insecure channel. Otherwise, the 2FA tokens are mostly useless security theater. But, for most things I would care about personally, this is not offered even if you enroll multiple tokens.